US10693796B2 · Active · Utility · PatentIndex 47

Persistent flow identifiers enabling disparate applications

Assignee: IBM · Priority: Jun 10, 2016 · Filed: Dec 3, 2018 · Granted: Jun 23, 2020
Est. expiry: Jun 10, 2036 (~9.9 yrs left) · nominal 20-yr term from priority
Inventors: BIRD WILLIAM A; Couturier Russell; DHEAP VIJAY; JOHNSTONE PATRICK V; WUEST BEN A; AGERHOLM ALEX OMØ
Classifications: H04L 43/106, Y02D30/50, H04L 63/30, H04L 43/026, H04L 47/2441, H04L 43/12, H04L 47/2416, H04L 69/28, H04L 45/70, Y02D50/30
PatentIndex Score: 47 · Cited by: 0 · References: 34 · Claims: 15

Abstract

Embodiments provide a system and method for network tracking. By using packet capture applications having a flow identifier and a time stamper, one or more raw packets from one or more packet flows intercepted from a network can be tagged with a unique identifier and timestamp that can later be used to aggregate packet flows that have been analyzed by one or more capture applications. The unique identifier can relate to the network interface of the particular capture application and can also have an increasing value, where the increase in value can be monotonic. Later capture applications, while capable of generating secondary timestamps, can disregard those secondary timestamps for the primary timestamp of the first capture application in order to remove complications arising from latency issues.
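The tagging pipeline the abstract describes, sketched as an added example; this is not code from the patent or from IBM. The class and function names, the `<MAC>/<counter>` string layout of the flow identifier, and the choice to treat the first sighting of a 5-tuple as a flow's beginning packet are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class TaggedPacket:
    five_tuple: tuple
    payload: bytes
    flow_id: str                          # assumed layout: "<tap NIC MAC>/<counter>"
    primary_ts: float                     # set once, by the first capture application
    secondary_ts: Optional[float] = None  # set by a later capture application

class FirstCapture:
    """First capture application: assigns the flow identifier and primary timestamp."""
    def __init__(self, tap_mac: str):
        self.tap_mac = tap_mac
        self._counter = 0                 # only ever increases, once per new flow
        self._known = {}

    def tag(self, five_tuple, payload, now):
        if five_tuple not in self._known:  # beginning packet of a new flow
            self._counter += 1
            self._known[five_tuple] = f"{self.tap_mac}/{self._counter}"
        return TaggedPacket(five_tuple, payload, self._known[five_tuple], now)

def second_capture(pkt, now):
    """Later stage: records its own receive time without touching the primary tag."""
    return replace(pkt, secondary_ts=now)

def aggregate(packets):
    """Final stage: groups by flow identifier, orders by primary timestamp only."""
    flows = defaultdict(list)
    for p in packets:
        flows[p.flow_id].append((p.primary_ts, p.payload))  # secondary_ts disregarded
    return {fid: [pl for _, pl in sorted(items)] for fid, items in flows.items()}

def run_demo():
    first = FirstCapture("02:00:00:aa:bb:01")  # constructed, locally administered MAC
    a = ("10.0.0.5", 40000, "10.0.0.9", 443, "tcp")   # constructed sample flows
    b = ("10.0.0.6", 40001, "10.0.0.9", 53, "udp")
    wire = [(a, b"A1", 1.000), (b, b"B1", 1.001), (a, b"A2", 1.002)]
    tagged = [first.tag(ft, pl, ts) for ft, pl, ts in wire]
    # Queueing delay makes the second stage see A2 before A1, so its timestamps
    # are out of wire order; the primary timestamps still are not.
    delayed = [second_capture(tagged[2], 1.010),
               second_capture(tagged[1], 1.011),
               second_capture(tagged[0], 1.020)]
    return aggregate(delayed)
```

Ordering by `secondary_ts` would place A2 before A1; ordering by the primary timestamp restores wire order regardless of latency introduced between capture stages.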

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a network tracking system, the method comprising:
 receiving, by a first capture application connected to a network tap, one or more packet flows comprising one or more packets, transmitted through a network; 
 identifying, by the first capture application, one or more beginning packets of the one or more packet flows; 
 tagging, by the first capture application, each packet of the one or more packet flows with a flow identifier, wherein the flow identifier includes a unique identifier and an increasing value; 
 associating, by the first capture application, the unique identifier with an identifier of the network tap, wherein the unique identifier is a MAC address of a network interface card of the network tap; 
 tagging, by the first capture application, each packet of the one or more packet flows with a timestamp; and 
 forwarding, by the first capture application, one or more tagged packets to a second capture application connected to the network tap. 
 
     
     
2. The method as recited in claim 1, further comprising:
 tagging, by the second capture application connected to the network tap, each packet of the tagged one or more packet flows with a second timestamp; 
 forwarding, by the second capture application, the one or more tagged packets to a third capture application; and 
 disregarding, by the third capture application, the second timestamp. 
 
     
     
3. The method as recited in claim 1, further comprising:
 increasing the increasing value monotonically with each unique packet flow identified. 
 
     
     
4. The method as recited in claim 1, further comprising:
 tagging the one or more packet flows through packet encapsulation. 
 
     
     
5. The method as recited in claim 1, further comprising:
 tagging the one or more packet flows through one or more firmware application program interfaces. 
 
     
     
6. A computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a network tracking system, the method comprising:
 receiving from a network, through a first capture application connected to a network tap, one or more packet flows comprising one or more raw packets; 
 tagging, by the first capture application, each raw packet with a timestamp; 
 tagging, by the first capture application, each raw packet with a flow identifier, wherein the flow identifier includes a unique identifier and an increasing value; 
 associating, by the first capture application, the unique identifier with an identifier of the network tap, wherein the unique identifier is a MAC address of a network interface card of the network tap; and 
 forwarding, by the first capture application, the one or more tagged packets to a second capture application connected to the network tap. 
 
     
     
7. The method as recited in claim 6, further comprising:
 receiving, through the second capture application, the one or more tagged packets; 
 tagging, by the second capture application, each packet with a second timestamp; 
 tagging each packet with a second flow identifier, wherein the second flow identifier includes a second unique identifier and a second increasing value; and 
 forwarding, by the second capture application, the one or more tagged packets to a third capture application; and 
 disregarding, by the third capture application, the second timestamp and the second flow identifier. 
 
     
     
8. The method as recited in claim 7, further comprising:
 aggregating the one or more tagged packets using each tagged packet's flow identifier. 
 
     
     
9. The method as recited in claim 6, further comprising:
 increasing the increasing value monotonically with each unique packet flow identified by the particular capture application. 
 
     
     
10. The method as recited in claim 6, further comprising:
 tagging the one or more packet flows through packet encapsulation. 
 
     
     
11. The method as recited in claim 6, further comprising:
 tagging the one or more packet flows through one or more firmware application program interfaces. 
 
     
     
12. A computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a network tracking system, the method comprising:
 tagging, through a first capture application connected to a network tap, one or more packet flows comprising one or more raw packets of network data with a flow identifier and a primary timestamp, wherein the flow identifier includes a unique identifier and an increasing value; 
 associating, through the first capture application, the unique identifier with an identifier of the network tap, wherein the unique identifier is a MAC address of a network interface card of the network tap; 
 forwarding, through the first capture application, one or more tagged packet flows to a second capture application connected to the network tap; 
 tagging, through the second capture application, the one or more tagged packet flows with a secondary timestamp based on the time received by the second capture application; 
 forwarding, through the second capture application, the one or more tagged packet flows to a third capture application connected to the network tap; and 
 replacing, through the third capture application, the secondary timestamp with the primary timestamp. 
 
     
     
13. The method as recited in claim 12, further comprising:
 increasing, through first capture application, the increasing value monotonically with each unique packet flow identified by the particular first capture application. 
 
     
     
14. The method as recited in claim 12, further comprising:
 tagging, through first capture application, the one or more packet flows through packet encapsulation. 
 
     
     
15. The method as recited in claim 12, further comprising:
 tagging, through first capture application, the one or more packet flows through one or more firmware application program interfaces.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.